DeFiFoundry
60,000 USDC
Submission Details
Severity: low
Valid

Users can bypass maxPositionsPerAccount due to improper checks

Summary

The config `globalConfiguration.maxPositionsPerAccount` is used to ensure that the number of positions of a `tradingAccount` doesn't exceed a certain threshold. However, due to insufficient checks, traders can have more positions than `maxPositionsPerAccount` in their trading account.

Vulnerability Details

`createMarketOrder` checks whether the newly created order would push the account's number of positions over the configured threshold. However, no such check is present when orders are settled. Also, because of the off-chain order component, users can bypass this check easily.

Consider the following example:

1. `maxPositionsPerAccount` is 5.
2. `currentActivePositionsOfTrader` is 3.
3. The trader places off-chain orders in two different perp markets.
4. The trader creates a new market order (the creation-time check passes, since 3 < 5).
5. The market order is settled and `currentActivePositionsOfTrader` is 4.
6. The off-chain orders are settled and `currentActivePositionsOfTrader` is 6.
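The walkthrough above as a small state model (added example, not Zaros code): `TradingAccount`, `create_market_order`, `create_offchain_order` and `settle` are hypothetical stand-ins, with the limit check applied only at creation (the reported behaviour) or also at settlement (the fix). The settlement check counts only fills that open a brand-new position, so reducing or closing an existing position is never blocked.

```python
from dataclasses import dataclass, field


class PositionLimitExceeded(Exception):
    pass


@dataclass
class TradingAccount:
    max_positions: int
    positions: dict = field(default_factory=dict)  # market_id -> signed size

    def active_positions(self) -> int:
        return sum(1 for s in self.positions.values() if s != 0)

    def check_position_limit(self, market_id: int) -> None:
        # Only a fill that opens a new position consumes a slot; increasing,
        # reducing or closing an existing one must never be rejected here.
        opens_new = self.positions.get(market_id, 0) == 0
        if opens_new and self.active_positions() >= self.max_positions:
            raise PositionLimitExceeded(market_id)

    def create_market_order(self, market_id: int, size_delta: int) -> tuple:
        # On-chain creation: the only place the original check runs.
        self.check_position_limit(market_id)
        return (market_id, size_delta)

    def create_offchain_order(self, market_id: int, size_delta: int) -> tuple:
        # Signed off-chain order: no on-chain code runs at creation time.
        return (market_id, size_delta)

    def settle(self, order: tuple, enforce_at_settlement: bool) -> None:
        market_id, size_delta = order
        if enforce_at_settlement:  # the fix: re-check when the fill lands
            self.check_position_limit(market_id)
        self.positions[market_id] = self.positions.get(market_id, 0) + size_delta


def run_scenario(enforce_at_settlement: bool) -> int:
    # Constructed state: 3 open positions, limit 5, as in the walkthrough.
    acct = TradingAccount(max_positions=5, positions={1: 10, 2: -5, 3: 7})
    offchain = [acct.create_offchain_order(4, 1), acct.create_offchain_order(5, 1)]
    market = acct.create_market_order(6, 1)  # passes: 3 < 5
    acct.settle(market, enforce_at_settlement)  # 4 positions
    for order in offchain:
        try:
            acct.settle(order, enforce_at_settlement)
        except PositionLimitExceeded:
            pass  # fill rejected by the settlement-time check
    return acct.active_positions()  # 6 without the fix, 5 with it
```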

Impact

Traders can have more positions than `maxPositionsPerAccount` in their trading account. As a result, functions that loop over an account's active positions, such as liquidation, can run out of gas.

Tools Used

Manual review

Recommendations

Ensure that settling a trade cannot push the trader's active positions above the configured threshold.

Updates

Lead Judging Commences

inallhonesty Lead Judge over 1 year ago
Submission Judgement Published
Validated
Assigned finding tags:

`maxPositionsPerAccount` may be exceeded by combining onchain and offchain orders
